SELinux+IPTables+Non SELINUX Aware Network Daemon

Greetings,

I was recently reading this article about leveraging iptables with SELinux:

https://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-together

I was wondering if a similar union could allow for the following situation to be accomplished:

I have a Red Hat Enterprise Linux 6.1 server sharing several storage LUNs as iSCSI targets via the native iSCSI target implementation in that distribution. For technical reasons several of the LUNs must be exported without CHAP authentication; however, I was wondering if I could leverage iptables secmark in conjunction with SELinux to accomplish the following:

1) Client IP connects to the iSCSI target service. Connection is tracked and secmark'd.
2) Client IP discovers available LUNs on the iSCSI server.
3) Client IP logs into a LUN which has a source-address access rule preventing access.
4) When the iSCSI target service tries to access the LUN to which the Client IP has no access, iptables severs the connection via TCP reset / reject.

As far as I can tell "tgtd" (the iSCSI target daemon) neither supports IP ACLs nor is SELinux aware; however, I was hoping there might be a way to create an association between connecting IP / process ID on the server and file/block device access such that I could use iptables to terminate the unauthorized connection.

If anyone has any thoughts on whether this would be possible in one way or another, I would love to hear about it.

Cheers,

--

Greg Procunier
UNIX Administrator III - Enterprise Servers and Storage
1 Robert Speck Parkway, Suite 400, Mississauga, Ontario L4Z 4E7
Office: 416-673-3320
Mobile: 647-895-2977
Email: gprocunier@xxxxxxxxxx
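Step 1 of the scheme above (tracking the iSCSI connection and secmarking it) is the part the linked article covers, and it is the part that can be written down as a rule set. The following is an added example, not code from the original post or from the linux.com article: a POSIX sh script that emits the iptables SECMARK/CONNSECMARK rules for the iSCSI target port and applies them only when explicitly asked to. The port number 3260 is the standard iSCSI target port; the packet type name `iscsi_server_packet_t` is an assumption based on refpolicy's `network_port()` naming convention and should be checked against the policy actually loaded (`seinfo -t | grep packet_t`). Nothing here keys on which file or block device tgtd later opens; SECMARK labels packets and lets the policy decide which domain may send or receive them, which is as far as this mechanism reaches.

```shell
#!/bin/sh
# Added example (not from the original post): build the iptables SECMARK /
# CONNSECMARK rule set that labels iSCSI target traffic so SELinux sees
# labelled packets for the tgtd connection.
#
# Assumptions (not taken from the post): iSCSI target port 3260 (the IANA
# default) and the refpolicy-style packet type iscsi_server_packet_t.

ISCSI_PORT=${ISCSI_PORT:-3260}
SERVER_PKT_CTX=${SERVER_PKT_CTX:-system_u:object_r:iscsi_server_packet_t:s0}

# secmark_rules PORT CONTEXT
# Emit one iptables argument list per line, in the order they must be added:
#   1-2. restore the saved connection label onto every packet of a known
#        connection (both directions), so replies carry the same secmark;
#   3.   label the first packet of a new connection to the target port;
#   4.   copy that packet label onto the conntrack entry (--save).
secmark_rules() {
    port=$1
    ctx=$2
    cat <<EOF
-t mangle -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
-t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
-t mangle -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SECMARK --selctx $ctx
-t mangle -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j CONNSECMARK --save
EOF
}

# count_rules PORT CONTEXT -> number of rules that would be installed
count_rules() {
    secmark_rules "$1" "$2" | wc -l | tr -d ' '
}

# apply_rules: install the rules (needs root and a SECMARK-capable kernel).
apply_rules() {
    secmark_rules "$ISCSI_PORT" "$SERVER_PKT_CTX" | while IFS= read -r rule; do
        # Word splitting of $rule is intentional: each line is one argv.
        # shellcheck disable=SC2086
        iptables $rule
    done
}

# Default action is a dry run that prints the rules; "apply" installs them.
case "${1:-}" in
    apply) apply_rules ;;
    *)     secmark_rules "$ISCSI_PORT" "$SERVER_PKT_CTX" ;;
esac
```

Once these rules are in place, every packet of a tgtd session carries the server packet label and the policy must explicitly allow the tgtd domain to send and receive it (`packet { send recv }`); any traffic not matched by a SECMARK rule is labelled `unlabeled_t`, so either label all traffic the host needs or allow `unlabeled_t` packets, otherwise unrelated services stop working. The label is per connection, not per LUN, which is why step 4 of the scheme cannot be expressed in iptables alone.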
